{
  "description": "Enterprise techniques mitigated by Update Software, ATT&CK mitigation M1051 (v1.1)",
  "name": "Update Software (M1051)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"},
  "techniques": [
    {"techniqueID": "T1548", "comment": "Perform regular software updates to mitigate exploitation risk.", "score": 1, "showSubtechniques": true},
    {"techniqueID": "T1548.002", "comment": "Consider updating Windows to the latest version and patch level to utilize the latest protective measures against UAC bypass.(Citation: Github UACMe)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1110", "showSubtechniques": true},
    {"techniqueID": "T1110.001", "comment": "Upgrade management services to the latest supported and compatible version. Specifically, any version providing increased password complexity or policy enforcement preventing default or weak passwords.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1555", "comment": "Perform regular software updates to mitigate exploitation risk.", "score": 1, "showSubtechniques": true},
    {"techniqueID": "T1555.003", "comment": "Regularly update web browsers, password managers, and all related software to the latest versions. Keeping software up-to-date reduces the risk of vulnerabilities being exploited by attackers to extract stored credentials or session cookies.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1555.005", "comment": "Regularly update web browsers, password managers, and all related software to the latest versions. Keeping software up-to-date reduces the risk of vulnerabilities being exploited by attackers to extract stored credentials or session cookies.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1602", "comment": "Keep system images and software updated and migrate to SNMPv3.(Citation: Cisco Blog Legacy Device Attacks)", "score": 1, "showSubtechniques": true},
    {"techniqueID": "T1602.001", "comment": "Keep system images and software updated and migrate to SNMPv3.(Citation: Cisco Blog Legacy Device Attacks)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1602.002", "comment": "Keep system images and software updated and migrate to SNMPv3.(Citation: Cisco Blog Legacy Device Attacks)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1686", "showSubtechniques": true},
    {"techniqueID": "T1686.002", "comment": "Ensure the network firewall is up to date with security patches.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1189", "comment": "Ensuring that all browsers and plugins are kept updated can help prevent the exploit phase of this technique. Use modern browsers with security features turned on.(Citation: Browser-updates)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1611", "comment": "Ensure that hosts are kept up-to-date with security patches.", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1546", "comment": "Perform regular software updates to mitigate exploitation risk.", "score": 1, "showSubtechniques": true},
    {"techniqueID": "T1546.010", "comment": "Upgrade to Windows 8 or later and enable secure boot.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1546.011", "comment": "Microsoft released an optional patch update - KB3045645 - that will remove the \"auto-elevate\" flag within the sdbinst.exe. This will prevent use of application shimming to bypass UAC.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1190", "comment": "Update software regularly by employing patch management for externally exposed applications.", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1203", "comment": "Perform regular software updates to mitigate exploitation risk. Keeping software up-to-date with the latest security patches helps prevent adversaries from exploiting known vulnerabilities in client software, reducing the risk of successful attacks.", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1212", "comment": "Update software regularly by employing patch management for internal enterprise endpoints and servers.", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1068", "comment": "Update software regularly by employing patch management for internal enterprise endpoints and servers.", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1211", "comment": "Update software regularly by employing patch management for internal enterprise endpoints and servers.", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1210", "comment": "Update software regularly by employing patch management for internal enterprise endpoints and servers.", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1495", "comment": "Patch the BIOS and other firmware as necessary to prevent successful use of known vulnerabilities.", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1574", "comment": "Update software regularly to include patches that fix DLL side-loading vulnerabilities.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1574.001", "comment": "Update software regularly to include patches that fix DLL side-loading vulnerabilities.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1137", "comment": "For the Outlook methods, blocking macros may be ineffective as the Visual Basic engine used for these features is separate from the macro scripting engine.(Citation: SensePost Outlook Forms) Microsoft has released patches to try to address each issue. Ensure KB3191938 which blocks Outlook Visual Basic and displays a malicious code warning, KB4011091 which disables custom forms by default, and KB4011162 which removes the legacy Home Page feature, are applied to systems.(Citation: SensePost Outlook Home Page)", "score": 1, "showSubtechniques": true},
    {"techniqueID": "T1137.003", "comment": "For the Outlook methods, blocking macros may be ineffective as the Visual Basic engine used for these features is separate from the macro scripting engine.(Citation: SensePost Outlook Forms) Microsoft has released patches to try to address each issue. Ensure KB3191938 which blocks Outlook Visual Basic and displays a malicious code warning, KB4011091 which disables custom forms by default, and KB4011162 which removes the legacy Home Page feature, are applied to systems.(Citation: SensePost Outlook Home Page)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1137.004", "comment": "For the Outlook methods, blocking macros may be ineffective as the Visual Basic engine used for these features is separate from the macro scripting engine.(Citation: SensePost Outlook Forms) Microsoft has released patches to try to address each issue. Ensure KB3191938 which blocks Outlook Visual Basic and displays a malicious code warning, KB4011091 which disables custom forms by default, and KB4011162 which removes the legacy Home Page feature, are applied to systems.(Citation: SensePost Outlook Home Page)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1137.005", "comment": "For the Outlook methods, blocking macros may be ineffective as the Visual Basic engine used for these features is separate from the macro scripting engine.(Citation: SensePost Outlook Forms) Microsoft has released patches to try to address each issue. Ensure KB3191938 which blocks Outlook Visual Basic and displays a malicious code warning, KB4011091 which disables custom forms by default, and KB4011162 which removes the legacy Home Page feature, are applied to systems.(Citation: SensePost Outlook Home Page)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1542", "comment": "Patch the BIOS and EFI as necessary.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1542.001", "comment": "Patch the BIOS and EFI as necessary.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1542.002", "comment": "Perform regular firmware updates to mitigate risks of exploitation and/or abuse.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1072", "comment": "Patch deployment systems regularly to prevent potential remote access through [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1176", "comment": "Ensure operating systems and software are using the most current version.", "score": 1, "showSubtechniques": true},
    {"techniqueID": "T1176.001", "comment": "Ensure operating systems and browsers are using the most current version.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1176.002", "comment": "Ensure operating systems and IDEs are using the most current version.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1539", "comment": "Regularly update web browsers, password managers, and all related software to the latest versions. Keeping software up-to-date reduces the risk of vulnerabilities being exploited by attackers to extract stored credentials or session cookies.", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1195", "comment": "A patch management process should be implemented to check unused dependencies, unmaintained and/or previously vulnerable dependencies, unnecessary features, components, files, and documentation.", "score": 1, "showSubtechniques": true},
    {"techniqueID": "T1195.001", "comment": "A patch management process should be implemented to check unused dependencies, unmaintained and/or previously vulnerable dependencies, unnecessary features, components, files, and documentation.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1195.002", "comment": "A patch management process should be implemented to check unused applications, unmaintained and/or previously vulnerable software, unnecessary features, components, files, and documentation.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1552", "comment": "Apply patch KB2962486 which prevents credentials from being stored in GPPs.(Citation: ADSecurity Finding Passwords in SYSVOL)(Citation: MS14-025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1552.006", "comment": "Apply patch KB2962486 which prevents credentials from being stored in GPPs.(Citation: ADSecurity Finding Passwords in SYSVOL)(Citation: MS14-025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1550", "showSubtechniques": true},
    {"techniqueID": "T1550.002", "comment": "Apply patch KB2871997 to Windows 7 and higher systems to limit the default access of accounts in the local administrator group.(Citation: NSA Spotting)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "mitigated by Update Software", "color": "#66b1ff"}]
}
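Added example, not part of the layer above or of the ATT&CK project: a Python script that loads a Navigator layer in this format, checks it for the inconsistencies that most often creep in when a layer is hand-edited (a sub-technique listed without its parent, a score outside the gradient range, a color with no legend entry, a malformed technique ID), and extracts the KB identifiers cited in the comments into a patch checklist that can be handed to `Get-HotFix`. The embedded layer excerpt is constructed from a few of the entries above, not the full layer; `validate_layer`, `kb_checklist`, `hotfix_query` and `load_layer` are this example's own names.

```python
import json
import re

# Constructed excerpt of an M1051 Navigator layer, in the same shape as the
# layer above (a handful of entries, not the full list), embedded so this runs offline.
SAMPLE_LAYER_JSON = json.dumps({
    "name": "Update Software (M1051)",
    "domain": "enterprise-attack",
    "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"},
    "techniques": [
        {"techniqueID": "T1546", "comment": "Perform regular software updates to mitigate exploitation risk.",
         "score": 1, "showSubtechniques": True},
        {"techniqueID": "T1546.011",
         "comment": "Microsoft released an optional patch update - KB3045645 - that will remove the \"auto-elevate\" flag within the sdbinst.exe.",
         "score": 1, "color": "#66b1ff", "showSubtechniques": True},
        {"techniqueID": "T1137", "showSubtechniques": True},
        {"techniqueID": "T1137.003",
         "comment": "Ensure KB3191938, KB4011091 and KB4011162 are applied to systems.",
         "score": 1, "color": "#66b1ff", "showSubtechniques": True},
        {"techniqueID": "T1550", "showSubtechniques": True},
        {"techniqueID": "T1550.002",
         "comment": "Apply patch KB2871997 to Windows 7 and higher systems.",
         "score": 1, "color": "#66b1ff", "showSubtechniques": True},
    ],
    "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
    "legendItems": [{"label": "mitigated by Update Software", "color": "#66b1ff"}],
})

TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")   # Txxxx or Txxxx.yyy
KB_ID = re.compile(r"\bKB\d{6,7}\b")                # Microsoft KB article number


def load_layer(text):
    """Parse layer JSON text into a dict (a fresh copy on every call)."""
    return json.loads(text)


def validate_layer(layer):
    """Return a list of problems found in a layer dict; an empty list means it is consistent.

    Checks: technique IDs are well formed, every sub-technique's parent is listed,
    scores lie within the gradient range, and every per-entry color has a legend entry.
    """
    problems = []
    entries = layer.get("techniques", [])
    ids = {e.get("techniqueID", "") for e in entries}
    gradient = layer.get("gradient", {})
    lo, hi = gradient.get("minValue", 0), gradient.get("maxValue", 100)
    legend_colors = {item["color"].lower() for item in layer.get("legendItems", [])}

    for e in entries:
        tid = e.get("techniqueID", "")
        if not TECHNIQUE_ID.match(tid):
            problems.append(f"malformed techniqueID {tid!r}")
            continue
        if "." in tid and tid.split(".")[0] not in ids:
            problems.append(f"{tid} is listed without its parent technique")
        score = e.get("score")
        if score is not None and not lo <= score <= hi:
            problems.append(f"{tid} score {score} outside gradient range [{lo}, {hi}]")
        color = e.get("color")
        if color and color.lower() not in legend_colors:
            problems.append(f"{tid} color {color} has no legend entry")
    return problems


def kb_checklist(layer):
    """Map each KB identifier cited in a comment to the sorted technique IDs that cite it."""
    checklist = {}
    for e in layer.get("techniques", []):
        for kb in KB_ID.findall(e.get("comment", "")):
            checklist.setdefault(kb, set()).add(e["techniqueID"])
    return {kb: sorted(tids) for kb, tids in sorted(checklist.items())}


def hotfix_query(checklist):
    """Build the PowerShell one-liner that checks installed OS hotfixes for the listed KBs.

    Caveat: Get-HotFix reads Win32_QuickFixEngineering, so it only reports Windows
    updates; Office updates such as the Outlook KBs will not appear there and have
    to be confirmed through Office's own update history instead.
    """
    return "Get-HotFix -Id " + ",".join(checklist)


if __name__ == "__main__":
    layer = load_layer(SAMPLE_LAYER_JSON)
    for problem in validate_layer(layer):
        print("PROBLEM:", problem)
    checklist = kb_checklist(layer)
    for kb, tids in checklist.items():
        print(kb, "->", ", ".join(tids))
    print(hotfix_query(checklist))
```

Run it against a saved layer by replacing `SAMPLE_LAYER_JSON` with the file contents; the validation runs on the dict, so it works equally on a layer exported from the Navigator UI.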